We have our /home directories stored on a NetApp SVM, and are automounting them as NFSv4 with Kerberos. This seems to work flawlessly on RHEL7.x; however, it will not work in Ubuntu 14.04 or 16.04 no matter what we try.

Both RHEL and Ubuntu are using SSSD and were joined to the same domain using realmd. I compared all the configs (krb5.conf, sssd.conf, resolv.conf, nsswitch.conf, idmapd.conf, all pam configs, etc.) between RHEL and Ubuntu, and the settings are all identical.

I compared the installed pam, krb5, sssd, nfs etc packages in RHEL and have installed all the comparable packages on Ubuntu. All services have started successfully. Firewalls are completely disabled. Both RHEL and Ubuntu have SELinux disabled. Both have krb5.keytab files with the same service principals.

For some reason on the Ubuntu machines, when a user logs in, the sssd logs indicate that a service ticket is granted, but when you run a "klist" as that user only the TGT is listed.

With debugging on for autofs, on Ubuntu it shows:

```
attempting to mount entry /home/user
>> mount.nfs4: access denied by server while mounting 10.4.195.9:/NetAppSVM_Home/user
>> mount.nfs4: access denied by server while mounting 10.4.195.8:/NetAppSVM_Home/user
mount(nfs): nfs: mount failure files.uconn.edu:/NetAppSVM_Home/user on /home/user
failed to mount /home/user
```

Our /etc/auto.home on both RHEL and Ubuntu looks like:

```
* -fstype=nfs4,sec=krb5,user=&,uid=$UID,gid=$GID,cruid=$UID files.univ.edu:/NetAppSVM_Home/&
```

Both machines are on the same subnet. Users are authenticated successfully, yet, for some reason, automounting the /home works on RHEL but not Ubuntu. I'd appreciate any direction here because at this point I'm just beating my head against the wall.

Thanks in advance!

drchrist68
  • `failed to mount //files.server.edu/**home/user** (type nfs)` <-- that doesn't look the same as your config (I'd expect /NetAppSVM_Home/user there).. is that a typo from the hostname masking? –  Sep 15 '17 at 23:35
  • That was a typo on my part. Edited to reflect actual error (sans username). – drchrist68 Sep 16 '17 at 11:27
  • @yoonix Also, when I stop autofs and mount the share manually as root: `# mount -vvv -o sec=krb5 files.univ.edu:/NetAppSVM_Home/user /home/user`, the share mounts successfully and I can login as "user" and access /home/user. Something must be broken with autofs. – drchrist68 Sep 16 '17 at 12:03
  • I still cannot figure this out. I did see that the Ubuntu hosts did not have nfs/principals, but neither do the RHEL hosts, but RHEL works. Also Ubuntu used to work for the previous Kerberos domain, but not for the new one. Again, it is only Ubuntu that does not work in the new domain. I have looked at everything: Kerberos configuration, nfs-common, idmapd, sssd, autofs, iptables, PAM, everything, and cannot for the life of me figure out where the failure is. – drchrist68 Sep 25 '17 at 12:31
  • OK, I have a clue... I can automount (as CIFS in this case), but only after I have already logged in. At login, the mount command is passing UID=0 instead of my correct UID and is unable to obtain the service ticket: `Sep 26 07:10:47 ubuntu-ad cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=files.univ.edu;ip4=x.x.x.8;sec=krb5;uid=0x0;creduid=0x0;user=user;pid=0x4ba5` After logging in it passes my correct UID/CRUID. Any clue why this is? Thx – drchrist68 Sep 26 '17 at 11:53
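
The `uid=0x0;creduid=0x0` observation in the last comment can be checked across a whole log with a short parser. This is an added example, not part of the original thread; the sample lines are constructed from the quoted `cifs.upcall` line, with placeholder host, IP and UID values.

```python
import re

# Constructed sample syslog lines in the cifs.upcall format quoted above
# (host, IP and the second line's UID values are placeholders).
SAMPLE_LOG = """\
Sep 26 07:10:47 ubuntu-ad cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=files.example.edu;ip4=192.0.2.8;sec=krb5;uid=0x0;creduid=0x0;user=user;pid=0x4ba5
Sep 26 07:12:03 ubuntu-ad cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=files.example.edu;ip4=192.0.2.8;sec=krb5;uid=0x3e9;creduid=0x3e9;user=user;pid=0x4c11
Sep 26 07:12:04 ubuntu-ad sshd[1234]: unrelated line
"""

KEY_DESC = re.compile(r"cifs\.upcall: key description: (\S+)")
HEX_FIELDS = ("uid", "creduid", "pid")  # logged as 0x-prefixed hex


def parse_key_description(desc):
    """Split a cifs.spnego key description into a dict of its key=value fields."""
    fields = {}
    for part in desc.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = int(value, 16) if key in HEX_FIELDS else value
    return fields


def find_root_upcalls(log_text):
    """Return parsed upcalls where creduid is 0 but the requested user is not root."""
    hits = []
    for line in log_text.splitlines():
        match = KEY_DESC.search(line)
        if not match:
            continue  # not a cifs.upcall key description line
        fields = parse_key_description(match.group(1))
        if fields.get("creduid") == 0 and fields.get("user") not in (None, "root"):
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for f in find_root_upcalls(SAMPLE_LOG):
        print(f"user={f['user']} upcall ran with uid={f['uid']} "
              f"creduid={f['creduid']} (pid {f['pid']})")
```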

0 Answers